Monthly Archives: September 2009

Google Analytics, or my preferred name for it “google anal-tics”, is a service designed to provide web site owners with statistics about visitors' movements on their site. One would think this is a simple and ordinary enough service and nothing to worry about.

However, I have two issues with this:

First, to achieve this data gathering, a web site is required to load on each web page of interest a JavaScript file called urchin.js from Google or the more advanced ga.js file. Essentially a web site is telling your browser to execute some remote 3rd party script on your system. This is a BAD idea in terms of security, since it might be possible to hijack that script in transit and replace it with attack / hack code. Also the script is not loaded securely via HTTPS, so no certificate authentication or validation of any kind is done; just blind trust that google-analytics.com has not been hijacked by DNS cache poisoning or that some intermediate web proxy hasn’t been compromised.

Second, I am interested in protecting my privacy online as much as possible these days. I already have a pretty big online footprint dating as far back as 1986; regardless, I see it as my right to restrict data collected about me. So whenever a web site asks for HTTP cookies, Flash Cookies (How to Manage Flash Settings), tries to load advertising, or tracks my movements through scripts and/or cookies, I’ll go out of my way to block that from happening.

So when a web site loads urchin.js or ga.js, it is going to communicate information about visitors back to Google. I find this an invasion of my online privacy. What I do online is my business, not Google’s. Google already has enough data about what search terms I look for (this can be controlled through Google, though who knows if it is honoured or not). Frankly I don’t think Google or any other 3rd party advertiser needs to know where and what the frack I’m doing.

Simple solution: use a URL blocker, like Bork Bork Bork! or Adblock Plus, to block urchin.js, ga.js, and/or anything from google-analytics.com from being accessed. If you don’t want to use a URL blocker, this can also be achieved by adding an entry like the following to the Unix or Mac OS X /etc/hosts file (Windows has an equivalent, C:\WINDOWS\system32\drivers\etc\hosts):

127.0.0.1 www.google-analytics.com
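
A hosts file matches whole hostnames only and has no wildcards, so the entry above covers www.google-analytics.com and nothing else under that domain. The following audit script is an added example, not part of the original post; the extra hostnames checked (ssl.google-analytics.com, google-analytics.com) and the sample hosts file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a hosts file for exact-name coverage of tracker hostnames.

# blocked_in_hosts FILE NAME
# Exit 0 if NAME appears on an uncommented line mapped to a loopback/null address.
blocked_in_hosts() {
    awk -v want="$2" '
        { sub(/#.*/, "") }            # strip comments; awk re-splits the fields
        NF < 2 { next }               # blank line or address with no names
        $1 == "127.0.0.1" || $1 == "0.0.0.0" || $1 == "::1" {
            for (i = 2; i <= NF; i++) # one line may list several names
                if (tolower($i) == tolower(want)) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_hosts FILE NAME...
# Prints one status line per name; returns the count of names NOT blocked.
audit_hosts() {
    file=$1; shift; missing=0
    for name in "$@"; do
        if blocked_in_hosts "$file" "$name"; then
            echo "blocked      $name"
        else
            echo "NOT blocked  $name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample hosts file (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
# 127.0.0.1 ssl.google-analytics.com   (commented out: no effect)
127.0.0.1   www.google-analytics.com   # the entry from the post
EOF

audit_hosts "$sample" www.google-analytics.com \
    ssl.google-analytics.com google-analytics.com || true
rm -f "$sample"
```

To check a live system, call `audit_hosts /etc/hosts` followed by the hostnames of interest.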

Most web sites where google-analytics.com has been blocked are designed well enough to continue functioning. However, there are a small handful of web sites that refuse to do anything when the tracking code is not loaded. Typical bad design on the web site's part. In the end I see Google Anal-Tics as evil and choose not to do business with web sites that expect me to put up with that shit.